← Back to Labs

WireGuard Packet Flow

Follow one packet from a virtual tunnel interface to an encrypted UDP transport and back into the receiving network stack.

left: client host / center: public internet / right: peer gateway
Client
routes packet into `wg0`
App payload
TCP / UDP
Inner IP
encapsulate
outer IP + UDP cross the public path
Peer
decrypts and reinjects inner packet
observable outside the tunnel
outer endpoint IPs, UDP port, packet size, timing
hidden inside ciphertext
inner destination, payload, transport headers
Step 1 / 5An app emits a normal IP packet toward the TUN interface

The packet starts life as an ordinary inner IP packet. Routing policy decides that this destination should go into the VPN.

Arrow keys to navigate · R to reset

Tap dots to jump to any step

Read the full article →Take the quiz →